🛠️Trusts
This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category name.
Theory
Practice
Enumeration
From UNIX-like systems, tools like NetExec (Python) and ldapsearch (C) can be used to enumerate trusts.
# ldapsearch (authenticated simple bind; trusted domain objects live in the System container,
# and DC=$DOMAIN stands for the domain's DN components, e.g. DC=domain,DC=local)
ldapsearch -x -H "ldap://$DC_IP" -D "$USER@$DOMAIN" -W -b "CN=System,DC=$DOMAIN" "(objectClass=trustedDomain)"
# NetExec
nxc ldap <DC_IP> -u <USER> -p <PASSWORD> -M enum_trusts
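The trustedDomain objects returned by the ldapsearch query above carry their meaning in numeric attributes (trustDirection, trustType, trustAttributes). The following is an added example, not code from the original page: a small decoder that turns those values into readable properties, run here over constructed sample LDIF output (the lab.local, corp.local and vendor.net names are made up; value meanings follow MS-ADTS).

```python
# Added example, not from the original page: decode the trustedDomain objects that
# the ldapsearch query above returns. Value meanings follow MS-ADTS; the LDIF below
# is constructed sample output with made-up domain names, not a real capture.
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel (NT4)", 2: "uplevel (AD)", 3: "MIT Kerberos", 4: "DCE"}
TRUST_ATTRIBUTES = {             # bit flags of the trustAttributes attribute
    0x01: "NON_TRANSITIVE",
    0x04: "QUARANTINED_DOMAIN",  # SID filtering (quarantine) enabled on this trust
    0x08: "FOREST_TRANSITIVE",
    0x20: "WITHIN_FOREST",       # parent/child or tree-root trust
    0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
}

SAMPLE_LDIF = """\
dn: CN=corp.local,CN=System,DC=lab,DC=local
trustPartner: corp.local
trustDirection: 3
trustType: 2
trustAttributes: 8

dn: CN=vendor.net,CN=System,DC=lab,DC=local
trustPartner: vendor.net
trustDirection: 2
trustType: 2
trustAttributes: 4
"""

def parse_ldif(text):
    # One dict per entry; entries are separated by blank lines (single-valued attributes suffice for TDOs)
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({key: value for key, _, value in pairs})
    return entries

def decode_trust(entry):
    # Map the numeric attributes to readable direction, type and flag names
    attrs = int(entry.get("trustAttributes", "0"))
    return {
        "partner": entry.get("trustPartner"),
        "direction": TRUST_DIRECTION.get(int(entry.get("trustDirection", "0")), "unknown"),
        "type": TRUST_TYPE.get(int(entry.get("trustType", "0")), "unknown"),
        "flags": [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit],
        "quarantined": bool(attrs & 0x04),
    }

def enumerate_trusts(ldif=SAMPLE_LDIF):
    return [decode_trust(entry) for entry in parse_ldif(ldif)]
```

Feeding real ldapsearch output to `enumerate_trusts` gives the same view NetExec's enum_trusts module prints, with the quarantine flag making it easy to spot trusts on which SID filtering is not enabled.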
From Windows systems, tools like PowerView (PowerShell) and netdom may be used to enumerate trusts:
netdom
From domain-joined hosts, the netdom command-line tool can be used.
# list the trusts of DOMAIN.LOCAL
netdom query /domain:DOMAIN.LOCAL trust
PowerView
Alternatively, PowerSploit's PowerView (PowerShell) supports multiple commands for various purposes.
# Enumerate domain trust relationships of the current user's domain
Get-NetDomainTrust
Get-NetDomainTrust -Domain [Domain Name]
Get-NetDomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
# Enumerate forest trusts from the current domain's perspective
Get-NetForestTrust
Get-NetForestDomain -Forest [Forest Name]
# Enumerate all the trusts of all the domains found
Get-NetForestDomain | Get-NetDomainTrust
# Enumerate and map all domain trusts
Invoke-MapDomainTrust
# Get users with privileges in other domains inside the forest
Get-DomainForeignUser
# Get groups with privileges in other domains inside the forest
Get-DomainForeignGroupMember
The global catalog is a partial copy of all objects in an Active Directory forest, meaning that some object properties (but not all) are contained within it. This data is replicated among all domain controllers marked as global catalogs for the forest. Trusted domain objects are replicated in the global catalog, so we can enumerate every single internal and external trust that all domains in our current forest have extremely quickly, and only with traffic to our current PDC.
(by Will Schroeder on blog.harmj0y.net)
BloodHound
BloodHound can also be used to map the trusts. While it doesn't provide many details, it shows a visual representation.
Forging Tickets
Resources